We're moving into section eight, in which we're going to discuss prevention or mitigation of access control attacks. First let's explore an example. A major retailer. Let's walk through the various steps in which the hackers, who successfully made this attack, succeeded. The hackers originally gained access to the retailer's network by stealing access credentials via a phishing attack of a refrigeration contractor. The electronic interaction with the retailer was limited to billing, contract submission, and project management.

Now sophisticated and prolonged attack at the retailer simply means that it took on multiple forms, attempted to succeed across multiple pathways, and it took a period of time. Now once the attackers had infiltrated the retailer's network, they were able to distribute malware to thousands of point of sale machines designed to siphon off customer data, meaning identity and credit card information. Then they set up a control server within the retailer's internal network that acted as the central repository for the stolen credit card information. And then the stolen data was later uploaded from the retailer network to an FTP server. This, of course, was Target.

Now, in protecting the enterprise, this is going to be a multi-layered coordinated defense involving people, processes, and tools that span a wide variety. This will include your identity and access management system. They have to be able to prevent authentication attacks, and they have to be able to prevent access control attacks.

Now web applications themselves are quite readily exploited through attacks on the web. These rich interfaces make it possible for anyone on the internet to reach a web application and it makes them a very appealing target for attackers who want to gain access to others' data and resources. Being that these are largely used for e-commerce types of transactions, it makes them all that much more attractive.

The access control attack simply attacks to attempt to bypass or circumvent access control methods. And access control, as we know, begins with identification and authentication.

One form that builds up towards the circumvention of these controls is access aggregation. An attacker collecting multiple pieces of non-sensitive information and then combining, or aggregating, the pieces to learn sensitive information is able then to exploit multiple types of access control systems using that information.

Reconnaissance attacks are oftentimes preceding the access aggregation type. Access aggregation, having employed reconnaissance, combines multiple tools to identify elements of a system, such as IP addresses, open ports, running services, operating systems, and in the case of subjects, attempting to access different places where different pieces of information which reveal something about the subject would be available, such as nostalgia sites, LinkedIn, Facebook, and others.

The various forms of these attacks have multiple ways in which we can protect against them. For one thing, we want to control physical access to the system. An attacker having physical access to a platform would find it easier to overcome by virtue of the physical access than they would having simply logical access. Within these systems, of course, we need to control electronic access to password files and make sure that these files are never presenting their contents anywhere in the clear. We need to create a strong password policy, this, of course, has many benefits. One of which is it makes it difficult for anyone trying to guess passwords to guess them. It also creates the condition where a brute force type of an attack can take considerably longer. We use password masking, which defeats shoulder surfing. We can, as many enterprises have done, deploy multifactor authentication, which complicates the attacker's attempt by having to proceed along two lines, possibly even requiring a physical token or other means, thus possibly defeating it outright.

In our password policy, we have to set up account lockout controls, such as a limited number of attempts which, if failed, lock the account either until it's reset by an administrator or delaying its reset for a period of time. Using last logon notification tells the legitimate user when they log in, where the last login came from and if they know, it can tell them that it got logged in from a place other than where they know they logged in from last time.

We can use vulnerability scanners to scan our systems to see what information they reveal, what information passes, what intelligence that an attacker could be gaining through it. We, of course, have to actively manage the accounts to ensure that those that come in as new employees get provisioned correctly and those that terminate get their account suspended or eliminated promptly upon their departure.

We have many audit access controls and we need to be sure that we're using them. SIEMs or audit logs need to be accessed to divulge the information and intelligence that they actually have. So we need to actively pursue these. And of course, we should not overlook the importance of educating our users about security and training them in the various techniques that we need to strengthen the function of all of these different kinds of controls.